Example (C code) int double(int x) { return 2 * x; }

Slides:



Advertisements
Similar presentations
Amal Khalil & Juergen Dingel
Advertisements

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
Symbolic execution © Marcelo d’Amorim 2010.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
Synergy: A New Algorithm for Property Checking
PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
06/12/2007SE _6_12_Design.ppt1 Design Phase Outputs: Completed & Inspected SDS & Integration Test Plan Completed & Inspected System Test Plan.
ISBN Chapter 10 Implementing Subprograms –Semantics of Calls and Returns –Implementing “Simple” Subprograms –Implementing Subprograms with.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Instructor: Alexander Stoytchev CprE 185: Intro to Problem Solving (using C)
Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
A Test Case + Mock Class Generator for Coding Against Interfaces Mainul Islam, Christoph Csallner Software Engineering Research Center (SERC) Computer.
LECTURE 20: RECURSION CSC 212 – Data Structures. Humorous Asides.
Solving Linear Systems by Substitution
Recursion A recursive definition is one which uses the word or concept being defined in the definition itself Example: “A computer is a machine.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Synergy: A New Algorithm for Property Checking Bhargav S. Gulavani (IIT Bombay)‏ Yamini Kannan (Microsoft Research India)‏ Thomas A. Henzinger (EPFL)‏
Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,
Chapter 2 – The Little Crab Program:. Little Crab Scenario Inheritance: The Arrows Denote Hierarchy Crab is an Animal Animal is an Actor Therefore, It.
Dynamic Symbolic Execution (aka, directed automated random testing, aka concolic execution) Slides by Koushik Sen.
Methods What is a method? Main Method the main method is where a stand alone Java program normally begins execution common compile error, trying.
Int fact (int n) { If (n == 0) return 1; else return n * fact (n – 1); } 5 void main () { Int Sum; : Sum = fact (5); : } Factorial Program Using Recursion.
Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.
Testing It is much better to have a plan when testing your programs than it is to just randomly try values in a haphazard fashion. Testing Strategies:
Recursion ITFN The Stack. A data structure maintained by each program at runtime. Push Pop.
A Static Analyzer for Large Safety-­Critical Software Presented by Dario Bösch, ETH Zürich Research Topics in Software Engineering Dario.
Linear Inequalities in One Variable
Recursion Recursion is a fundamental programming technique that can provide an elegant solution certain kinds of problems © 2004 Pearson Addison-Wesley.
5/9/2018 Advanced Unit Testing David Rabinowitz.
Implementing Subprograms
Willem Visser Stellenbosch University
Scope and Code Generation
A Test Case + Mock Class Generator for Coding Against Interfaces
Factoring if/else code
Recursive Thinking Chapter 9 introduces the technique of recursive programming. As you have seen, recursive programming involves spotting smaller occurrences.
Using local variable without initialization is an error.
Recursive Thinking Chapter 9 introduces the technique of recursive programming. As you have seen, recursive programming involves spotting smaller occurrences.
CSC 253 Lecture 8.
CSC 253 Lecture 8.
Solve a system of linear equation in two variables
Dynamic Symbolic Execution
Govt. Polytechnic,Dhangar
Basic Examples Function Examples Limitation Examples
Elided to examples only
Generics.
Recursion (part 1) October 24, 2007 ComS 207: Programming I (in Java)
Automatic Test Generation SymCrete
Unit 3 Test: Friday.
Basic Examples Function Examples Limitation Examples
When a function is called...
Basic Examples Function Examples Limitation Examples
CUTE: A Concolic Unit Testing Engine for C
Building Java Programs
Recursion.
Factoring if/else code
Recursion.
HW7: Due Dec 5th 23:59 Describe test cases to reach full path coverage of the triangle program by completing the path condition table below. Also, draw.
HW#7 Describe test cases to reach full path coverage of the triangle program by completing the path condition table below. Also, draw the complete execution.
Advanced Analysis of Algorithms
Presentation transcript:

Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ (1) Interface extraction: parameters of toplevel function external variables return values of external functions main(){ int tmp1 = randomInt(); int tmp2 = randomInt(); test_me(tmp1,tmp2); } (2) Generation of test driver for random testing: Closed (self-executable) program that can be run Problem: probability of reaching abort() is extremely low!

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 36, y = 99

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 36, y = 99, z = 72 z = 2 * x

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint Solve: 2 * x == y Solution: x = 1, y = 2 create symbolic variables x, y 2 * x != y x = 36, y = 99, z = 72 z = 2 * x

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 1, y = 2

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 1, y = 2, z = 2 z = 2 * x

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y 2 * x == y x = 1, y = 2, z = 2 z = 2 * x

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint Solve: (2 * x == y) and (y == x +10) Solution: x = 10, y = 20 create symbolic variables x, y 2 * x == y y != x + 10 x = 1, y = 2, z = 2 z = 2 * x

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y != x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 10, y = 20

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 10, y = 20, z = 20 z = 2 * x

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y 2 * x == y x = 10, y = 20, z = 20 z = 2 * x

DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint Program Error create symbolic variables x, y 2 * x == y x = 10, y = 20, z = 20 z = 2 * x y == x +10

Novelty: Simultaneous Concrete & Symbolic Executions void foo(int x,int y){ int z = x*x*x; /* could be z = h(x) */ if (z == y) { abort(); /* error */ } Assume we can reason about linear constraints only Initially x = 3 and y = 7 (randomly generated) Concrete z = 27, but symbolic z = x*x*x Cannot handle symbolic value of z! Stuck?

Novelty: Simultaneous Concrete & Symbolic Executions void foo(int x,int y){ int z = x*x*x; /* could be z = h(x) */ if (z == y) { abort(); /* error */ } Assume we can reason about linear constraints only Initially x = 3 and y = 7 (randomly generated) Concrete z = 27, but symbolic z = x*x*x Cannot handle symbolic value of z! Stuck? NO! Use concrete value z = 27 and proceed… Take else branch with constraint 27 != y Solve 27 = y to take then branch Execute next run with x = 3 and y = 27 DART finds the error! Replace symbolic expression by concrete value when symbolic expression becomes unmanageable (e.g. non-linear) NOTE: whenever symbolic execution is stuck, static analysis becomes imprecise!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.